Sub-Processors

Last Updated: December 2024

This page lists third-party sub-processors that Wellness Research Institute LLC, D/B/A Shortlister (“Shortlister”) uses to provide our Services. These sub-processors may process personal data submitted to or collected through the Shortlister platform.

Notification of Changes

We will notify customers of any new sub-processors or changes to existing sub-processors through:

  • Email notification to account administrators
  • Platform notifications (for logged-in users)
  • Updates to this page (check the “Last Updated” date)

Customers have 30 days from notification to object to any new sub-processor. If we cannot resolve your objection, you may terminate the affected Services.

Current Sub-Processors

Infrastructure & Hosting

Sub-Processor 

Location 

Services Provided 

Data Processed 

Amazon Web Services (AWS)  

United States  

Cloud hosting, data storage, computing services  

All platform data including personal data  

Cloudfront 

United States  

Content delivery network  

IP addresses, technical access data  

Communication Services 

Sub-Processor 

Location 

Services Provided 

Data Processed 

Mandrill (Mailchimp)  

United States  

Transactional email delivery  

Email addresses, email content  

Business Operations

Sub-Processor 

Location 

Services Provided 

Data Processed 

Braintree (PayPal)  

United States  

Payment processing  

Billing information, payment details  

QuickBooks (Intuit)  

United States  

Accounting and invoicing  

Customer billing information  

Adobe Acrobat  

United States  

Electronic signatures  

Name, email, signed documents  

Authentication & Security

Sub-Processor 

Location 

Services Provided 

Data Processed 

Okta  

United States  

Single sign-on (SSO), identity management  

Authentication credentials, SSO metadata  

Analytics & Monitoring

Sub-Processor 

Location 

Services Provided 

Data Processed 

Google Analytics  

United States  

Website analytics  

Anonymized usage data, cookies  

AWS Cloudwatch 

United States  

Application performance monitoring  

Technical logs, performance metrics  

Mixpanel 

United States  

Application analytics  

Anonymized usage data, cookies  

Data Processing & Integration

Sub-Processor 

Location 

Services Provided 

Data Processed 

HubSpot  

United States  

Marketing automation  

Marketing contacts, engagement data  

Sub-Processor Security

All sub-processors are required to:

  • Maintain appropriate technical and organizational security measures
  • Process personal data only on our documented instructions
  • Ensure personnel are subject to confidentiality obligations
  • Assist with data protection obligations
  • Delete or return personal data upon termination
  • Allow for and contribute to audits

Data Transfer Safeguards

For sub-processors in the United States or other countries without EU/UK adequacy decisions, we implement appropriate safeguards:

  • EU Data: EU Standard Contractual Clauses (Module 3: Processor to Sub-Processor)
  • UK Data: UK International Data Transfer Agreement or UK Addendum to EU SCCs
  • Other Safeguards: Additional security measures as required by applicable law

Geographic Data Centers

Primary data processing occurs in the following AWS regions:

  • Primary: US-East-1 (Northern Virginia)
  • Backup: US-West-2 (Oregon)
  • CDN Edge Locations: Global (via Cloudflare

Contact Information

For questions about our sub-processors or to object to a new sub-processor:

Email: privacy@myshortlister.com
Subject Line: “Sub-Processor Inquiry”

Data Protection Officer
Wellness Research Institute LLC
310 Busse Hwy, #386 Park Ridge,
IL 60068

Objection Process

To object to a new sub-processor:

  1. Submit your objection within 30 days of notification
  2. Include the specific sub-processor and reason for objection
  3. We will work with you to address concerns
  4. If unresolved, you may terminate affected Services without penalty

Updates to This List

This list is reviewed and updated quarterly or when sub-processor changes occur. The “Last Updated” date at the top of this page indicates the most recent revision.

This sub-processor list is part of our commitment to transparency and GDPR/UK GDPR compliance. It should be read in conjunction with our Data Processing Agreement, Privacy Policy, and Terms of Use.